Solved

Anonymous Access - Is it safe?

Posted on 2014-02-05
7
316 Views
Last Modified: 2014-02-11
I'm involved in a debate over the safety of allowing internal anonymous (read only) access to a SharePoint 2010 (Enterprise) WCM site.

They have 2 main SharePoint areas, one WCM and the other Collaboration. SharePoint is only accessible within the company network. Authentication is NTLM against 3 trusted domains. Due to corporate aquisitions there are a few hundred employees currently on non-trusted domains.

It's been proposed that we enable anonymous access on the WCM site so all employees can see company announcements. However there's a big push-back against this for 'security reasons'. Nothing specific, just a feeling that opening access somehow opens the collaboration site and other data to attack.

(I will also mention, Federated Services has been considered as an alternative access method for our extra users, but the hardware and configuration requirements are very tight for our timescales.)

Considering that access is only possible from within the company network, there is intrusion detection software configured on all requests to SharePoint, access is read only etc, am I missing something? Should anonymous access to non-sensitive data (admittedly in the same farm as sensitive data) be of major concern to anyone?
0
Comment
Question by:Jamie McAllister MVP
  • 4
  • 2
7 Comments
 
LVL 14

Expert Comment

by:SneekCo
ID: 39836756
Anonymous access is very useful in the situation your describe. The biggest danger is human error. If for example some creates a site collection that inherits the anonymous access and it is not explicit disabled, then data could be exposed. Consider creating an additional web application where anonymous access is enable and have all other data in a web app that has anonymous disabled and you lower the risk of an error. I have done that on several occasions and it has worked well.

Hope that helps
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39838192
I would suggest to configure access for Authenticated users instead of Anonymous. if not, there are certain groups like domain users which you can use where all the users from domain are member of that group, you can configure access for this group in each domain as a work around.
0
 
LVL 31

Author Comment

by:Jamie McAllister MVP
ID: 39838404
Can anyone tell me an absolute show-stopper for Anonymous access within our network?

Or alternatively an absolute assurance that Anonymous is fine in the scenario I described?

At the moment I need to feed into the decision for a go/no go on anonymous access.
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39838410
It is fine but your security team may not approve or might be an issue in audits.
0
 
LVL 31

Author Comment

by:Jamie McAllister MVP
ID: 39838531
What specific grounds might they not approve on if it is safe?
0
 
LVL 31

Accepted Solution

by:
Jamie McAllister MVP earned 0 total points
ID: 39838748
Spencer Harbar was kind enough to provide some input to this debate on a private forum. I can't cross post the text in full but a summary of the advice is this;

Such content should always be authenticated. Factors such as the content being on the Internal Network, or having IDS in place do not influence the risk management. Having ACL in place would significantly reduce the risk of outages from malicious intent.

Suggested approach is creating accounts for all users, opening up the WCM site to All Authenticated Users if necessary, but always having ACL in place.

Thanks for your input on the question.
0
 
LVL 31

Author Closing Comment

by:Jamie McAllister MVP
ID: 39849632
Spencer Harbar advised against Anonymous Access.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Join & Write a Comment

These days socially coordinated efforts have turned into a critical requirement for enterprises.
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now